Notes and Action Items: Grouper Call of Wed. 13-Jan-2016
Attending: Chris Hyzer, Shilen Patel, Misagh Moayyed, Bert Bee-Lindgren, Tom Barton, Emily Eisbruch
New Action Items from Jan 13, 2016 call
[AI] (Chris) will provide Shilen with hibernate mapping example
[AI] (Chris) make a JIRA about renaming of Loader to Daemon and share it with the list
[AI] (Bert) email DaveL to clarify the conflict handling issue in Post PSP Provisioning wiki
[AI] (Shilen) look at GrouperKimModule and make it compile with attributes/types
[AI] (Misagh) look on Grouper wiki for Java doc links and change them to grouper.io
[AI] (Shilen) create a wiki documenting the Loader work - not done yet
Review AIs from previous call
[AI] (Shilen) create a wiki documenting the Loader work - not done yet
[AI] Chris will work on Security Configuration issue (done)
[AI] (Emily) tell Dean we’d like Grouper IAM Online in July 2016 (done)
[AI] (Emily) submit request for a Grouper BOF at Global Summit (done)
Discussion
Current work tasks
see Roadmap
Chris: GSH export/import, Messaging changelog consumer
issue around attributes
loader jobs, editing attributes
this work enables specifying a folder and a filename for exporting to GSH
allows one to “give this subject same permissions as other subject”
Bert asks about the change log consumer. Chris says it is not quite ready yet
Chris send Bert email on using messaging
1. https://spaces.internet2.edu/display/Grouper/Grouper+messaging+built+in
Shilen: Loader, Hibernate? Other?
Shilen says most of the Hibernate work is done and things are working
some tests are broken, but this does not seem to be due to hibernate issues
Shilen has not worked on the Loader recently. Will get back to the Loader work
Shilen fixed the quartz tables (prefixed table names with ‘grouper’)
got MSQL to work without creating temp tables in background
how to put queries into code using hibernate mapping?
Chris will provide Shilen with an example
[AI] (Chris) will provide Shilen with hibernate mapping example
Bert: should we rename the Loader to Grouper Daemon?
Chris: Q: would we rename the java project?
A: we could just clarify in documentation
Shilen: agree, we should call it Grouper Daemon
The upgrade could rename the config file
can’t support both config file names due to the way the config overlay works
[AI] (Chris) make a JIRA about renaming of Loader to Daemon and share it with the list
PSP NG (Bert)
Chris: should we do a new config file for PSP?
Bert: yes
Bert will create a project under PSP
In the future there could be a lot of destinations
For now we are focusing on 3 LDAP targets
Misagh: follow the Grouper Misc project
make Grouper.psp under main directory and have sub projects under that
Grouper.psp/grouper-psp-ldap/
Grouper.psp/grouper-psp-core
Need configuration code examples:
*LDAP Pool setup, reusing as much information as possible from sources.xml or elsewhere
*Provisioner config: Implementing an overlay-based config providing the following information:
-LDAP-Pool info
-Destination Type (Active Directory Groups, LDAP Groups, LDAP Account Attributes)
-Destination Details (OU, Group-creation template, group layout, nested or flattened groups, attribute-values, etc)
-Subject-finding - Groups and Non-Groups (Search Base/search filter or GeneratedDn)
Questions:
*Given overlaid configurations, should we have defaults in code or in an OOTB overlay paragraph? For instance, should the Active-Directory-Group provisioner class have attribute-value paging enabled, or should that be enabled only in an active-directory overlay?
Chris: put everything that can be configured in the base properties file.
*From https://spaces.internet2.edu/display/Grouper/Post+PSP+Provisioning#PostPSPProvisioning-FirstImplementations
What conflicts need to be handled by Conflict Handling?
could be conflict when provisioner thinks one thing and destination thinks another.
[AI] (Bert) email DaveL to clarify the conflict handling issue in Post PSP Provisioning wiki
*How does incremental provisioning protect from >N% removals?
Tom: something can go wrong upstream. Might want sanity check of the loader. Would be good to throw a flag up so if it’s a problem, it can be managed.
Bert - at GA Tech, flattened groups are used.
What ends up getting provisioned?
should nested groups in AD be supported or could we just flatten all indirect memberships and put them in the parent group?
Tom: problems supporting a nested structure once it gets deeper
Misagh: queries against nested model are “expensive”
Tom: Flattened membership is different from flat vs bushy
How to handle groups with sub-groups? should those be flattened? [Yes]
hard to make access control decisions with recursion
Bert - inclined to flatten memberships for provisioning
Chris: use 80 / 20 rule for first release - provision flattened memberships
Then ask the list if next release should offer more options
Have a configured minimum-group-size before safety-net kicks in
Summary:
· Misagh: Building and packaging
- https://spaces.internet2.edu/pages/viewpage.action?pageId=87755940
- Travis is now able to build Grouper via gradle 2.10. All Grouper modules are converted. https://travis-ci.org/Internet2/grouper/builds
- Javadocs are automatically published: https://internet2.github.io/grouper/ There are lots of failures/errors with Javadocs. Those are ignored for the time being.
- Need a fix on the compile issue of the kim module. Something with the old GroupType class.
[AI] (Shilen) look at GrouperKimModule and make it compile with attributes/types
- Need access to the Settings area of the repository so I can configure automatic snapshots to Sonatype. Contacted tech-support. Already have access to sonatype. Snapshots will be published on every successful build of Travis, which is triggered on every commit to the relevant branch (i.e. master)
- All work is published to the gradle branch of the repository. I merge with master periodically. See the travis.yml file on build instructions. Will document on the wiki too.
- Will be working on the Travis build to auto configure and run tests based on Hyzer’s instructions.
- Will be working on WS and UI next to package the wars, etc.
- Will likely miss the next Grouper call. Travel.
Should we change the links in the Java docs?
Should training videos be updated?
[AI] (Misagh) look on Grouper wiki for Java doc links and change them to grouper.io
Chris suggests using a text editor with search and replace.
· Vivek: WS
TIER update
· Packaging Survey questionpro.com/t/AK1buZTO63
-survey is due Jan 15, 2016
Issue roundup
· Grouper GSH import/export (other tasks? Clone privileges / memberships of subject?)
· Grouper/Box
· COmanage/SCIM (send messages to WS from grouper change log)
(Benn Oshrin and Chris have been talking about this)
· Licensing/copyright of contributed work
· Api log4j locations
· Grouper ui errors (waiting on logs)
Unboundid and apacheds unit testing - Misagh has some examples to share
Sample unboundid ldap server:
https://github.com/UniconLabs/unboundid-ldap-server
Next Grouper Call: Wed Jan. 27, 2016
Emily Eisbruch, Work Group Lead, Trust and Identity
Internet2